Browsers Take a Bruising

By Lisa Vaas |
Posted 2007-02-23

Polish hacker Michal Zalewski has found yet another flaw in Mozilla's Firefox browser, this one having to do with memory corruption and possible system takeover. While he was at it, he also found an IE flaw that sets up malicious pages that won't let visitors leave. And that taunt the trapped user while they're at it--at least in his funny demo.

He has posted a demo that displays a crash in Firefox that he says is caused by corrupted pointers. It also caused a crash when I visited it in IE, FWIW.

"Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable memory corruption vulnerability," he writes. "When a location transition occurs and the structure of a document is modified from within onUnload event handler, freed DOM-related memory structures are left in inconsistent state, possibly leading to a remote compromise."

Mozilla's security people are looking into the flaw, which Mozilla has deemed critical.

The IE 7 bugit might be in other browsers too, he saidis a combination of what Zalewski calls a "boneheaded" JavaScript onUnload handler design in many browsers and a flawed method of handling page transitions.

"...[It] effectively allows a malicious page to prevent the visitor from leaving the site...," he wrote. "This enables the attacker not only to trap a visitor, but also pretend that his attempt to navigate to an unrelated webpage was successfulwhich enables all sorts of spoofing and phishing attacks. To test for the vulnerability, simply try manually navigating to google.com, cnn.com, slashdot.org, or some other site of your choice. You need to have Javascript enabled."

Here's his description of the bug, but don't go there without expecting to witness the demo firsthand.

Zalewski has been putting out Firefox bugs steadily all month. Earlier in the week, Zalewski posted a Firefox flaw having to do with cookies that are open to change by attackers. Later in the week he reported a bug wherein blank windows sans URLs or reload buttons were popping up and making malicious sites come off as legit.